Unrated severityNVD Advisory· Published Mar 14, 2011· Updated Apr 29, 2026

CVE-2011-0700

Description

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress before 3.0.5 contains multiple stored XSS vulnerabilities allowing authenticated users with Contributor or Author roles to inject arbitrary script.

Vulnerability

WordPress versions prior to 3.0.5 contain multiple cross-site scripting (XSS) vulnerabilities in the admin interface. The flaws exist in the Quick/Bulk Edit title (post_title), post_status, comment_status, ping_status fields, and in the escaping of tags within the tags meta box [2][3][4]. These are stored XSS issues that affect authenticated users with Contributor or Author roles [3].

Exploitation

An attacker must have a WordPress account with at least Contributor or Author privileges to access the post editing screens [3]. The attacker can inject malicious JavaScript into the vulnerable fields (e.g., post title, status fields, or tags) when creating or editing a post. The injected script is stored and executed when other users (including administrators) view the affected post or the admin interface [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to session hijacking, defacement, or further privilege escalation within the WordPress admin area [2][3]. The vulnerability is considered moderate severity.

Mitigation

The issue is fixed in WordPress version 3.0.5, released on February 9, 2011 [3]. Users are strongly encouraged to update immediately. No workarounds are provided; updating is the only mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/WordPress2 versions
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <=3.0.4
- (no CPE)range: <3.0.5
Package: https://wordpress.org/plugins/wordpress

Patches

6348d2a8d626

Run sanitize_key() on post_status, comment_status, and ping_status on the way into the DB. Props duck_. For 3.0

https://github.com/wordpress/wordpressryanFeb 6, 2011Fixed in 3.0.5via llm-release-walk

commit

1 file changed · +3 −0

wp-includes/default-filters.php+3 −0 modified

@@ -73,6 +73,9 @@
 foreach ( array( 'pre_post_type' ) as $filter ) {
 	add_filter( $filter, 'sanitize_user' );
 }
+foreach ( array( 'pre_post_status', 'pre_post_comment_status', 'pre_post_ping_status' ) as $filter ) {
+	add_filter( $filter, 'sanitize_key' );
+}
 
 // Places to balance tags on input
 foreach ( array( 'content_save_pre', 'excerpt_save_pre', 'comment_save_pre', 'pre_comment_content' ) as $filter ) {

be60cf359ada

Preserve tag escaping. Props koopersmith, Nils Jueneman. For 3.0

https://github.com/wordpress/wordpressryanFeb 5, 2011Fixed in 3.0.5via llm-release-walk

commit

4 files changed · +26 −15

wp-admin/includes/post.php+2 −0 modified

@@ -689,6 +689,8 @@ function get_post_meta_by_id( $mid ) {
 	$mid = (int) $mid;
 
 	$meta = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
+	if ( empty($meta) )
+		return false;
 	if ( is_serialized_string( $meta->meta_value ) )
 		$meta->meta_value = maybe_unserialize( $meta->meta_value );
 	return $meta;

wp-admin/js/post.dev.js+22 −13 modified

@@ -36,30 +36,39 @@ tagBox = {
 	},
 
 	quickClicks : function(el) {
-		var thetags = $('.the-tags', el), tagchecklist = $('.tagchecklist', el), current_tags;
+		var thetags = $('.the-tags', el),
+			tagchecklist = $('.tagchecklist', el),
+			id = $(el).attr('id'),
+			current_tags, disabled;
 
 		if ( !thetags.length )
 			return;
 
-		var disabled = thetags.attr('disabled');
+		disabled = thetags.attr('disabled');
 
 		current_tags = thetags.val().split(',');
 		tagchecklist.empty();
 
 		$.each( current_tags, function( key, val ) {
-			var txt, button_id, id = $(el).attr('id');
+			var span, xbutton;
 
-			val = $.trim(val);
-			if ( !val.match(/^\s+$/) && '' != val ) {
-				button_id = id + '-check-num-' + key;
-				if ( disabled )
-		 			txt = '<span>' + val + '</span> ';
-				else
-		 			txt = '<span><a id="' + button_id + '" class="ntdelbutton">X</a>&nbsp;' + val + '</span> ';
-	 			tagchecklist.append(txt);
-				if ( ! disabled )
-		 			$( '#' + button_id ).click( function(){ tagBox.parseTags(this); });
+			val = $.trim( val );
+
+			if ( ! val )
+				return;
+
+			// Create a new span, and ensure the text is properly escaped.
+			span = $('<span />').text( val );
+
+			// If tags editing isn't disabled, create the X button.
+			if ( ! disabled ) {
+				xbutton = $( '<a id="' + id + '-check-num-' + key + '" class="ntdelbutton">X</a>' );
+				xbutton.click( function(){ tagBox.parseTags(this); });
+				span.prepend('&nbsp;').prepend( xbutton );
 			}
+
+			// Append the span to the tag list.
+			tagchecklist.append( span );
 		});
 	},

wp-admin/js/post.js+1 −1 modified

@@ -1 +1 @@
-var tagBox,commentsBox,editPermalink,makeSlugeditClickable,WPSetThumbnailHTML,WPSetThumbnailID,WPRemoveThumbnail;function array_unique_noempty(b){var c=[];jQuery.each(b,function(a,d){d=jQuery.trim(d);if(d&&jQuery.inArray(d,c)==-1){c.push(d)}});return c}(function(a){tagBox={clean:function(b){return b.replace(/\s*,\s*/g,",").replace(/,+/g,",").replace(/[,\s]+$/,"").replace(/^[,\s]+/,"")},parseTags:function(e){var h=e.id,b=h.split("-check-num-")[1],d=a(e).closest(".tagsdiv"),g=d.find(".the-tags"),c=g.val().split(","),f=[];delete c[b];a.each(c,function(i,j){j=a.trim(j);if(j){f.push(j)}});g.val(this.clean(f.join(",")));this.quickClicks(d);return false},quickClicks:function(d){var f=a(".the-tags",d),e=a(".tagchecklist",d),b;if(!f.length){return}var c=f.attr("disabled");b=f.val().split(",");e.empty();a.each(b,function(i,j){var g,h,k=a(d).attr("id");j=a.trim(j);if(!j.match(/^\s+$/)&&""!=j){h=k+"-check-num-"+i;if(c){g="<span>"+j+"</span> "}else{g='<span><a id="'+h+'" class="ntdelbutton">X</a>&nbsp;'+j+"</span> "}e.append(g);if(!c){a("#"+h).click(function(){tagBox.parseTags(this)})}}})},flushTags:function(e,b,g){b=b||false;var i,c=a(".the-tags",e),h=a("input.newtag",e),d;i=b?a(b).text():h.val();tagsval=c.val();d=tagsval?tagsval+","+i:i;d=this.clean(d);d=array_unique_noempty(d.split(",")).join(",");c.val(d);this.quickClicks(e);if(!b){h.val("")}if("undefined"==typeof(g)){h.focus()}return false},get:function(c){var b=c.substr(c.indexOf("-")+1);a.post(ajaxurl,{action:"get-tagcloud",tax:b},function(e,d){if(0==e||"success"!=d){e=wpAjax.broken}e=a('<p id="tagcloud-'+b+'" class="the-tagcloud">'+e+"</p>");a("a",e).click(function(){tagBox.flushTags(a(this).closest(".inside").children(".tagsdiv"),this);return false});a("#"+c).after(e)})},init:function(){var b=this,c=a("div.ajaxtag");a(".tagsdiv").each(function(){tagBox.quickClicks(this)});a("input.tagadd",c).click(function(){b.flushTags(a(this).closest(".tagsdiv"))});a("div.taghint",c).click(function(){a(this).css("visibility","hidden").parent().siblings(".newtag").focus()});a("input.newtag",c).blur(function(){if(this.value==""){a(this).parent().siblings(".taghint").css("visibility","")}}).focus(function(){a(this).parent().siblings(".taghint").css("visibility","hidden")}).keyup(function(d){if(13==d.which){tagBox.flushTags(a(this).closest(".tagsdiv"));return false}}).keypress(function(d){if(13==d.which){d.preventDefault();return false}}).each(function(){var d=a(this).closest("div.tagsdiv").attr("id");a(this).suggest(ajaxurl+"?action=ajax-tag-search&tax="+d,{delay:500,minchars:2,multiple:true,multipleSep:","})});a("#post").submit(function(){a("div.tagsdiv").each(function(){tagBox.flushTags(this,false,1)})});a("a.tagcloud-link").click(function(){tagBox.get(a(this).attr("id"));a(this).unbind().click(function(){a(this).siblings(".the-tagcloud").toggle();return false});return false})}};commentsBox={st:0,get:function(d,c){var b=this.st,e;if(!c){c=20}this.st+=c;this.total=d;a("#commentsdiv img.waiting").show();e={action:"get-comments",mode:"single",_ajax_nonce:a("#add_comment_nonce").val(),post_ID:a("#post_ID").val(),start:b,num:c};a.post(ajaxurl,e,function(f){f=wpAjax.parseAjaxResponse(f);a("#commentsdiv .widefat").show();a("#commentsdiv img.waiting").hide();if("object"==typeof f&&f.responses[0]){a("#the-comment-list").append(f.responses[0].data);theList=theExtraList=null;a("a[className*=':']").unbind();setCommentsList();if(commentsBox.st>commentsBox.total){a("#show-comments").hide()}else{a("#show-comments").html(postL10n.showcomm)}return}else{if(1==f){a("#show-comments").parent().html(postL10n.endcomm);return}}a("#the-comment-list").append('<tr><td colspan="2">'+wpAjax.broken+"</td></tr>")});return false}};WPSetThumbnailHTML=function(b){a(".inside","#postimagediv").html(b)};WPSetThumbnailID=function(c){var b=a("input[value=_thumbnail_id]","#list-table");if(b.size()>0){a("#meta\\["+b.attr("id").match(/[0-9]+/)+"\\]\\[value\\]").text(c)}};WPRemoveThumbnail=function(b){a.post(ajaxurl,{action:"set-post-thumbnail",post_id:a("#post_ID").val(),thumbnail_id:-1,_ajax_nonce:b,cookie:encodeURIComponent(document.cookie)},function(c){if(c=="0"){alert(setPostThumbnailL10n.error)}else{WPSetThumbnailHTML(c)}})}})(jQuery);jQuery(document).ready(function(e){var b,a,f="";postboxes.add_postbox_toggles(pagenow);if(e("#tagsdiv-post_tag").length){tagBox.init()}else{e("#side-sortables, #normal-sortables, #advanced-sortables").children("div.postbox").each(function(){if(this.id.indexOf("tagsdiv-")===0){tagBox.init();return false}})}e(".categorydiv").each(function(){var l=e(this).attr("id"),h=false,k,m,j,g,i;j=l.split("-");j.shift();g=j.join("-");i=g+"_tab";if(g=="category"){i="cats"}e("a","#"+g+"-tabs").click(function(){var n=e(this).attr("href");e(this).parent().addClass("tabs").siblings("li").removeClass("tabs");e("#"+g+"-tabs").siblings(".tabs-panel").hide();e(n).show();if("#"+g+"-all"==n){deleteUserSetting(i)}else{setUserSetting(i,"pop")}return false});if(getUserSetting(i)){e('a[href="#'+g+'-pop"]',"#"+g+"-tabs").click()}e("#new"+g).one("focus",function(){e(this).val("").removeClass("form-input-tip")});e("#"+g+"-add-submit").click(function(){e("#new"+g).focus()});k=function(){if(h){return}h=true;var n=jQuery(this),p=n.is(":checked"),o=n.val().toString();e("#in-"+g+"-"+o+", #in-"+g+"-category-"+o).attr("checked",p);h=false};catAddBefore=function(n){if(!e("#new"+g).val()){return false}n.data+="&"+e(":checked","#"+g+"checklist").serialize();return n};m=function(q,p){var o,n=e("#new"+g+"_parent");if("undefined"!=p.parsed.responses[0]&&(o=p.parsed.responses[0].supplemental.newcat_parent)){n.before(o);n.remove()}};e("#"+g+"checklist").wpList({alt:"",response:g+"-ajax-response",addBefore:catAddBefore,addAfter:m});e("#"+g+"-add-toggle").click(function(){e("#"+g+"-adder").toggleClass("wp-hidden-children");e('a[href="#'+g+'-all"]',"#"+g+"-tabs").click();e("#new"+g).focus();return false});e("#"+g+"checklist li.popular-category :checkbox, #"+g+"checklist-pop :checkbox").live("click",function(){var n=e(this),p=n.is(":checked"),o=n.val();if(o&&n.parents("#taxonomy-"+g).length){e("#in-"+g+"-"+o+", #in-popular-"+g+"-"+o).attr("checked",p)}})});if(e("#postcustom").length){e("#the-list").wpList({addAfter:function(g,h){e("table#list-table").show()},addBefore:function(g){g.data+="&post_id="+e("#post_ID").val();return g}})}if(e("#submitdiv").length){b=e("#timestamp").html();a=e("#post-visibility-display").html();function d(){var g=e("#post-visibility-select");if(e("input:radio:checked",g).val()!="public"){e("#sticky").attr("checked",false);e("#sticky-span").hide()}else{e("#sticky-span").show()}if(e("input:radio:checked",g).val()!="password"){e("#password-span").hide()}else{e("#password-span").show()}}function c(){var n,p,h,r,o="page"==pagenow||"page-new"==pagenow,q=e("#post_status"),i=e("option[value=publish]",q),g=e("#aa").val(),l=e("#mm").val(),m=e("#jj").val(),k=e("#hh").val(),j=e("#mn").val();n=new Date(g,l-1,m,k,j);p=new Date(e("#hidden_aa").val(),e("#hidden_mm").val()-1,e("#hidden_jj").val(),e("#hidden_hh").val(),e("#hidden_mn").val());h=new Date(e("#cur_aa").val(),e("#cur_mm").val()-1,e("#cur_jj").val(),e("#cur_hh").val(),e("#cur_mn").val());if(n.getFullYear()!=g||(1+n.getMonth())!=l||n.getDate()!=m||n.getMinutes()!=j){e(".timestamp-wrap","#timestampdiv").addClass("form-invalid");return false}else{e(".timestamp-wrap","#timestampdiv").removeClass("form-invalid")}if(n>h&&e("#original_post_status").val()!="future"){r=postL10n.publishOnFuture;e("#publish").val(postL10n.schedule)}else{if(n<=h&&e("#original_post_status").val()!="publish"){r=postL10n.publishOn;e("#publish").val(postL10n.publish)}else{r=postL10n.publishOnPast;if(o){e("#publish").val(postL10n.updatePage)}else{e("#publish").val(postL10n.updatePost)}}}if(p.toUTCString()==n.toUTCString()){e("#timestamp").html(b)}else{e("#timestamp").html(r+" <b>"+e("option[value="+e("#mm").val()+"]","#mm").text()+" "+m+", "+g+" @ "+k+":"+j+"</b> ")}if(e("input:radio:checked","#post-visibility-select").val()=="private"){if(o){e("#publish").val(postL10n.updatePage)}else{e("#publish").val(postL10n.updatePost)}if(i.length==0){q.append('<option value="publish">'+postL10n.privatelyPublished+"</option>")}else{i.html(postL10n.privatelyPublished)}e("option[value=publish]",q).attr("selected",true);e(".edit-post-status","#misc-publishing-actions").hide()}else{if(e("#original_post_status").val()=="future"||e("#original_post_status").val()=="draft"){if(i.length){i.remove();q.val(e("#hidden_post_status").val())}}else{i.html(postL10n.published)}if(q.is(":hidden")){e(".edit-post-status","#misc-publishing-actions").show()}}e("#post-status-display").html(e("option:selected",q).text());if(e("option:selected",q).val()=="private"||e("option:selected",q).val()=="publish"){e("#save-post").hide()}else{e("#save-post").show();if(e("option:selected",q).val()=="pending"){e("#save-post").show().val(postL10n.savePending)}else{e("#save-post").show().val(postL10n.saveDraft)}}return true}e(".edit-visibility","#visibility").click(function(){if(e("#post-visibility-select").is(":hidden")){d();e("#post-visibility-select").slideDown("normal");e(this).hide()}return false});e(".cancel-post-visibility","#post-visibility-select").click(function(){e("#post-visibility-select").slideUp("normal");e("#visibility-radio-"+e("#hidden-post-visibility").val()).attr("checked",true);e("#post_password").val(e("#hidden_post_password").val());e("#sticky").attr("checked",e("#hidden-post-sticky").attr("checked"));e("#post-visibility-display").html(a);e(".edit-visibility","#visibility").show();c();return false});e(".save-post-visibility","#post-visibility-select").click(function(){var g=e("#post-visibility-select");g.slideUp("normal");e(".edit-visibility","#visibility").show();c();if(e("input:radio:checked",g).val()!="public"){e("#sticky").attr("checked",false)}if(true==e("#sticky").attr("checked")){f="Sticky"}else{f=""}e("#post-visibility-display").html(postL10n[e("input:radio:checked",g).val()+f]);return false});e("input:radio","#post-visibility-select").change(function(){d()});e("#timestampdiv").siblings("a.edit-timestamp").click(function(){if(e("#timestampdiv").is(":hidden")){e("#timestampdiv").slideDown("normal");e(this).hide()}return false});e(".cancel-timestamp","#timestampdiv").click(function(){e("#timestampdiv").slideUp("normal");e("#mm").val(e("#hidden_mm").val());e("#jj").val(e("#hidden_jj").val());e("#aa").val(e("#hidden_aa").val());e("#hh").val(e("#hidden_hh").val());e("#mn").val(e("#hidden_mn").val());e("#timestampdiv").siblings("a.edit-timestamp").show();c();return false});e(".save-timestamp","#timestampdiv").click(function(){if(c()){e("#timestampdiv").slideUp("normal");e("#timestampdiv").siblings("a.edit-timestamp").show()}return false});e("#post-status-select").siblings("a.edit-post-status").click(function(){if(e("#post-status-select").is(":hidden")){e("#post-status-select").slideDown("normal");e(this).hide()}return false});e(".save-post-status","#post-status-select").click(function(){e("#post-status-select").slideUp("normal");e("#post-status-select").siblings("a.edit-post-status").show();c();return false});e(".cancel-post-status","#post-status-select").click(function(){e("#post-status-select").slideUp("normal");e("#post_status").val(e("#hidden_post_status").val());e("#post-status-select").siblings("a.edit-post-status").show();c();return false})}if(e("#edit-slug-box").length){editPermalink=function(g){var h,l=0,k=e("#editable-post-name"),m=k.html(),p=e("#post_name"),q=p.val(),n=e("#edit-slug-buttons"),o=n.html(),j=e("#editable-post-name-full").html();e("#view-post-btn").hide();n.html('<a href="#" class="save button">'+postL10n.ok+'</a> <a class="cancel" href="#">'+postL10n.cancel+"</a>");n.children(".save").click(function(){var i=k.children("input").val();e.post(ajaxurl,{action:"sample-permalink",post_id:g,new_slug:i,new_title:e("#title").val(),samplepermalinknonce:e("#samplepermalinknonce").val()},function(r){e("#edit-slug-box").html(r);n.html(o);p.attr("value",i);makeSlugeditClickable();e("#view-post-btn").show()});return false});e(".cancel","#edit-slug-buttons").click(function(){e("#view-post-btn").show();k.html(m);n.html(o);p.attr("value",q);return false});for(h=0;h<j.length;++h){if("%"==j.charAt(h)){l++}}slug_value=(l>j.length/4)?"":j;k.html('<input type="text" id="new-post-slug" value="'+slug_value+'" />').children("input").keypress(function(r){var i=r.keyCode||0;if(13==i){n.children(".save").click();return false}if(27==i){n.children(".cancel").click();return false}p.attr("value",this.value)}).focus()};makeSlugeditClickable=function(){e("#editable-post-name").click(function(){e("#edit-slug-buttons").children(".edit-slug").click()})};makeSlugeditClickable()}if(e("#title").val()==""){e("#title").siblings("#title-prompt-text").css("visibility","")}e("#title-prompt-text").click(function(){e(this).css("visibility","hidden").siblings("#title").focus()});e("#title").blur(function(){if(this.value==""){e(this).siblings("#title-prompt-text").css("visibility","")}}).focus(function(){e(this).siblings("#title-prompt-text").css("visibility","hidden")}).keydown(function(g){e(this).siblings("#title-prompt-text").css("visibility","hidden");e(this).unbind(g)})});
\ No newline at end of file
+var tagBox,commentsBox,editPermalink,makeSlugeditClickable,WPSetThumbnailHTML,WPSetThumbnailID,WPRemoveThumbnail;function array_unique_noempty(b){var c=[];jQuery.each(b,function(a,d){d=jQuery.trim(d);if(d&&jQuery.inArray(d,c)==-1){c.push(d)}});return c}(function(a){tagBox={clean:function(b){return b.replace(/\s*,\s*/g,",").replace(/,+/g,",").replace(/[,\s]+$/,"").replace(/^[,\s]+/,"")},parseTags:function(e){var h=e.id,b=h.split("-check-num-")[1],d=a(e).closest(".tagsdiv"),g=d.find(".the-tags"),c=g.val().split(","),f=[];delete c[b];a.each(c,function(i,j){j=a.trim(j);if(j){f.push(j)}});g.val(this.clean(f.join(",")));this.quickClicks(d);return false},quickClicks:function(d){var g=a(".the-tags",d),e=a(".tagchecklist",d),f=a(d).attr("id"),b,c;if(!g.length){return}c=g.attr("disabled");b=g.val().split(",");e.empty();a.each(b,function(i,k){var j,h;k=a.trim(k);if(!k){return}j=a("<span />").text(k);if(!c){h=a('<a id="'+f+"-check-num-"+i+'" class="ntdelbutton">X</a>');h.click(function(){tagBox.parseTags(this)});j.prepend("&nbsp;").prepend(h)}e.append(j)})},flushTags:function(e,b,g){b=b||false;var i,c=a(".the-tags",e),h=a("input.newtag",e),d;i=b?a(b).text():h.val();tagsval=c.val();d=tagsval?tagsval+","+i:i;d=this.clean(d);d=array_unique_noempty(d.split(",")).join(",");c.val(d);this.quickClicks(e);if(!b){h.val("")}if("undefined"==typeof(g)){h.focus()}return false},get:function(c){var b=c.substr(c.indexOf("-")+1);a.post(ajaxurl,{action:"get-tagcloud",tax:b},function(e,d){if(0==e||"success"!=d){e=wpAjax.broken}e=a('<p id="tagcloud-'+b+'" class="the-tagcloud">'+e+"</p>");a("a",e).click(function(){tagBox.flushTags(a(this).closest(".inside").children(".tagsdiv"),this);return false});a("#"+c).after(e)})},init:function(){var b=this,c=a("div.ajaxtag");a(".tagsdiv").each(function(){tagBox.quickClicks(this)});a("input.tagadd",c).click(function(){b.flushTags(a(this).closest(".tagsdiv"))});a("div.taghint",c).click(function(){a(this).css("visibility","hidden").parent().siblings(".newtag").focus()});a("input.newtag",c).blur(function(){if(this.value==""){a(this).parent().siblings(".taghint").css("visibility","")}}).focus(function(){a(this).parent().siblings(".taghint").css("visibility","hidden")}).keyup(function(d){if(13==d.which){tagBox.flushTags(a(this).closest(".tagsdiv"));return false}}).keypress(function(d){if(13==d.which){d.preventDefault();return false}}).each(function(){var d=a(this).closest("div.tagsdiv").attr("id");a(this).suggest(ajaxurl+"?action=ajax-tag-search&tax="+d,{delay:500,minchars:2,multiple:true,multipleSep:","})});a("#post").submit(function(){a("div.tagsdiv").each(function(){tagBox.flushTags(this,false,1)})});a("a.tagcloud-link").click(function(){tagBox.get(a(this).attr("id"));a(this).unbind().click(function(){a(this).siblings(".the-tagcloud").toggle();return false});return false})}};commentsBox={st:0,get:function(d,c){var b=this.st,e;if(!c){c=20}this.st+=c;this.total=d;a("#commentsdiv img.waiting").show();e={action:"get-comments",mode:"single",_ajax_nonce:a("#add_comment_nonce").val(),post_ID:a("#post_ID").val(),start:b,num:c};a.post(ajaxurl,e,function(f){f=wpAjax.parseAjaxResponse(f);a("#commentsdiv .widefat").show();a("#commentsdiv img.waiting").hide();if("object"==typeof f&&f.responses[0]){a("#the-comment-list").append(f.responses[0].data);theList=theExtraList=null;a("a[className*=':']").unbind();setCommentsList();if(commentsBox.st>commentsBox.total){a("#show-comments").hide()}else{a("#show-comments").html(postL10n.showcomm)}return}else{if(1==f){a("#show-comments").parent().html(postL10n.endcomm);return}}a("#the-comment-list").append('<tr><td colspan="2">'+wpAjax.broken+"</td></tr>")});return false}};WPSetThumbnailHTML=function(b){a(".inside","#postimagediv").html(b)};WPSetThumbnailID=function(c){var b=a("input[value=_thumbnail_id]","#list-table");if(b.size()>0){a("#meta\\["+b.attr("id").match(/[0-9]+/)+"\\]\\[value\\]").text(c)}};WPRemoveThumbnail=function(b){a.post(ajaxurl,{action:"set-post-thumbnail",post_id:a("#post_ID").val(),thumbnail_id:-1,_ajax_nonce:b,cookie:encodeURIComponent(document.cookie)},function(c){if(c=="0"){alert(setPostThumbnailL10n.error)}else{WPSetThumbnailHTML(c)}})}})(jQuery);jQuery(document).ready(function(e){var b,a,f="";postboxes.add_postbox_toggles(pagenow);if(e("#tagsdiv-post_tag").length){tagBox.init()}else{e("#side-sortables, #normal-sortables, #advanced-sortables").children("div.postbox").each(function(){if(this.id.indexOf("tagsdiv-")===0){tagBox.init();return false}})}e(".categorydiv").each(function(){var l=e(this).attr("id"),h=false,k,m,j,g,i;j=l.split("-");j.shift();g=j.join("-");i=g+"_tab";if(g=="category"){i="cats"}e("a","#"+g+"-tabs").click(function(){var n=e(this).attr("href");e(this).parent().addClass("tabs").siblings("li").removeClass("tabs");e("#"+g+"-tabs").siblings(".tabs-panel").hide();e(n).show();if("#"+g+"-all"==n){deleteUserSetting(i)}else{setUserSetting(i,"pop")}return false});if(getUserSetting(i)){e('a[href="#'+g+'-pop"]',"#"+g+"-tabs").click()}e("#new"+g).one("focus",function(){e(this).val("").removeClass("form-input-tip")});e("#"+g+"-add-submit").click(function(){e("#new"+g).focus()});k=function(){if(h){return}h=true;var n=jQuery(this),p=n.is(":checked"),o=n.val().toString();e("#in-"+g+"-"+o+", #in-"+g+"-category-"+o).attr("checked",p);h=false};catAddBefore=function(n){if(!e("#new"+g).val()){return false}n.data+="&"+e(":checked","#"+g+"checklist").serialize();return n};m=function(q,p){var o,n=e("#new"+g+"_parent");if("undefined"!=p.parsed.responses[0]&&(o=p.parsed.responses[0].supplemental.newcat_parent)){n.before(o);n.remove()}};e("#"+g+"checklist").wpList({alt:"",response:g+"-ajax-response",addBefore:catAddBefore,addAfter:m});e("#"+g+"-add-toggle").click(function(){e("#"+g+"-adder").toggleClass("wp-hidden-children");e('a[href="#'+g+'-all"]',"#"+g+"-tabs").click();e("#new"+g).focus();return false});e("#"+g+"checklist li.popular-category :checkbox, #"+g+"checklist-pop :checkbox").live("click",function(){var n=e(this),p=n.is(":checked"),o=n.val();if(o&&n.parents("#taxonomy-"+g).length){e("#in-"+g+"-"+o+", #in-popular-"+g+"-"+o).attr("checked",p)}})});if(e("#postcustom").length){e("#the-list").wpList({addAfter:function(g,h){e("table#list-table").show()},addBefore:function(g){g.data+="&post_id="+e("#post_ID").val();return g}})}if(e("#submitdiv").length){b=e("#timestamp").html();a=e("#post-visibility-display").html();function d(){var g=e("#post-visibility-select");if(e("input:radio:checked",g).val()!="public"){e("#sticky").attr("checked",false);e("#sticky-span").hide()}else{e("#sticky-span").show()}if(e("input:radio:checked",g).val()!="password"){e("#password-span").hide()}else{e("#password-span").show()}}function c(){var n,p,h,r,o="page"==pagenow||"page-new"==pagenow,q=e("#post_status"),i=e("option[value=publish]",q),g=e("#aa").val(),l=e("#mm").val(),m=e("#jj").val(),k=e("#hh").val(),j=e("#mn").val();n=new Date(g,l-1,m,k,j);p=new Date(e("#hidden_aa").val(),e("#hidden_mm").val()-1,e("#hidden_jj").val(),e("#hidden_hh").val(),e("#hidden_mn").val());h=new Date(e("#cur_aa").val(),e("#cur_mm").val()-1,e("#cur_jj").val(),e("#cur_hh").val(),e("#cur_mn").val());if(n.getFullYear()!=g||(1+n.getMonth())!=l||n.getDate()!=m||n.getMinutes()!=j){e(".timestamp-wrap","#timestampdiv").addClass("form-invalid");return false}else{e(".timestamp-wrap","#timestampdiv").removeClass("form-invalid")}if(n>h&&e("#original_post_status").val()!="future"){r=postL10n.publishOnFuture;e("#publish").val(postL10n.schedule)}else{if(n<=h&&e("#original_post_status").val()!="publish"){r=postL10n.publishOn;e("#publish").val(postL10n.publish)}else{r=postL10n.publishOnPast;if(o){e("#publish").val(postL10n.updatePage)}else{e("#publish").val(postL10n.updatePost)}}}if(p.toUTCString()==n.toUTCString()){e("#timestamp").html(b)}else{e("#timestamp").html(r+" <b>"+e("option[value="+e("#mm").val()+"]","#mm").text()+" "+m+", "+g+" @ "+k+":"+j+"</b> ")}if(e("input:radio:checked","#post-visibility-select").val()=="private"){if(o){e("#publish").val(postL10n.updatePage)}else{e("#publish").val(postL10n.updatePost)}if(i.length==0){q.append('<option value="publish">'+postL10n.privatelyPublished+"</option>")}else{i.html(postL10n.privatelyPublished)}e("option[value=publish]",q).attr("selected",true);e(".edit-post-status","#misc-publishing-actions").hide()}else{if(e("#original_post_status").val()=="future"||e("#original_post_status").val()=="draft"){if(i.length){i.remove();q.val(e("#hidden_post_status").val())}}else{i.html(postL10n.published)}if(q.is(":hidden")){e(".edit-post-status","#misc-publishing-actions").show()}}e("#post-status-display").html(e("option:selected",q).text());if(e("option:selected",q).val()=="private"||e("option:selected",q).val()=="publish"){e("#save-post").hide()}else{e("#save-post").show();if(e("option:selected",q).val()=="pending"){e("#save-post").show().val(postL10n.savePending)}else{e("#save-post").show().val(postL10n.saveDraft)}}return true}e(".edit-visibility","#visibility").click(function(){if(e("#post-visibility-select").is(":hidden")){d();e("#post-visibility-select").slideDown("normal");e(this).hide()}return false});e(".cancel-post-visibility","#post-visibility-select").click(function(){e("#post-visibility-select").slideUp("normal");e("#visibility-radio-"+e("#hidden-post-visibility").val()).attr("checked",true);e("#post_password").val(e("#hidden_post_password").val());e("#sticky").attr("checked",e("#hidden-post-sticky").attr("checked"));e("#post-visibility-display").html(a);e(".edit-visibility","#visibility").show();c();return false});e(".save-post-visibility","#post-visibility-select").click(function(){var g=e("#post-visibility-select");g.slideUp("normal");e(".edit-visibility","#visibility").show();c();if(e("input:radio:checked",g).val()!="public"){e("#sticky").attr("checked",false)}if(true==e("#sticky").attr("checked")){f="Sticky"}else{f=""}e("#post-visibility-display").html(postL10n[e("input:radio:checked",g).val()+f]);return false});e("input:radio","#post-visibility-select").change(function(){d()});e("#timestampdiv").siblings("a.edit-timestamp").click(function(){if(e("#timestampdiv").is(":hidden")){e("#timestampdiv").slideDown("normal");e(this).hide()}return false});e(".cancel-timestamp","#timestampdiv").click(function(){e("#timestampdiv").slideUp("normal");e("#mm").val(e("#hidden_mm").val());e("#jj").val(e("#hidden_jj").val());e("#aa").val(e("#hidden_aa").val());e("#hh").val(e("#hidden_hh").val());e("#mn").val(e("#hidden_mn").val());e("#timestampdiv").siblings("a.edit-timestamp").show();c();return false});e(".save-timestamp","#timestampdiv").click(function(){if(c()){e("#timestampdiv").slideUp("normal");e("#timestampdiv").siblings("a.edit-timestamp").show()}return false});e("#post-status-select").siblings("a.edit-post-status").click(function(){if(e("#post-status-select").is(":hidden")){e("#post-status-select").slideDown("normal");e(this).hide()}return false});e(".save-post-status","#post-status-select").click(function(){e("#post-status-select").slideUp("normal");e("#post-status-select").siblings("a.edit-post-status").show();c();return false});e(".cancel-post-status","#post-status-select").click(function(){e("#post-status-select").slideUp("normal");e("#post_status").val(e("#hidden_post_status").val());e("#post-status-select").siblings("a.edit-post-status").show();c();return false})}if(e("#edit-slug-box").length){editPermalink=function(g){var h,l=0,k=e("#editable-post-name"),m=k.html(),p=e("#post_name"),q=p.val(),n=e("#edit-slug-buttons"),o=n.html(),j=e("#editable-post-name-full").html();e("#view-post-btn").hide();n.html('<a href="#" class="save button">'+postL10n.ok+'</a> <a class="cancel" href="#">'+postL10n.cancel+"</a>");n.children(".save").click(function(){var i=k.children("input").val();e.post(ajaxurl,{action:"sample-permalink",post_id:g,new_slug:i,new_title:e("#title").val(),samplepermalinknonce:e("#samplepermalinknonce").val()},function(r){e("#edit-slug-box").html(r);n.html(o);p.attr("value",i);makeSlugeditClickable();e("#view-post-btn").show()});return false});e(".cancel","#edit-slug-buttons").click(function(){e("#view-post-btn").show();k.html(m);n.html(o);p.attr("value",q);return false});for(h=0;h<j.length;++h){if("%"==j.charAt(h)){l++}}slug_value=(l>j.length/4)?"":j;k.html('<input type="text" id="new-post-slug" value="'+slug_value+'" />').children("input").keypress(function(r){var i=r.keyCode||0;if(13==i){n.children(".save").click();return false}if(27==i){n.children(".cancel").click();return false}p.attr("value",this.value)}).focus()};makeSlugeditClickable=function(){e("#editable-post-name").click(function(){e("#edit-slug-buttons").children(".edit-slug").click()})};makeSlugeditClickable()}if(e("#title").val()==""){e("#title").siblings("#title-prompt-text").css("visibility","")}e("#title-prompt-text").click(function(){e(this).css("visibility","hidden").siblings("#title").focus()});e("#title").blur(function(){if(this.value==""){e(this).siblings("#title-prompt-text").css("visibility","")}}).focus(function(){e(this).siblings("#title-prompt-text").css("visibility","hidden")}).keydown(function(g){e(this).siblings("#title-prompt-text").css("visibility","hidden");e(this).unbind(g)})});
\ No newline at end of file

wp-includes/script-loader.php+1 −1 modified

@@ -275,7 +275,7 @@ function wp_default_scripts( &$scripts ) {
 		$scripts->add( 'postbox', "/wp-admin/js/postbox$suffix.js", array('jquery-ui-sortable'), '20091012' );
 		$scripts->add_data( 'postbox', 'group', 1 );
 
-		$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array('suggest', 'wp-lists', 'postbox'), '20100526' );
+		$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array('suggest', 'wp-lists', 'postbox'), '20110203' );
 		$scripts->add_data( 'post', 'group', 1 );
 		$scripts->localize( 'post', 'postL10n', array(
 			'tagsUsed' =>  __('Tags used on this post:'),

0ee19cf7af14

Properly encode the post title. Props koopersmith, nacin. For 3.0

https://github.com/wordpress/wordpressryanFeb 5, 2011Fixed in 3.0.5via llm-release-walk

commit

1 file changed · +1 −1

wp-admin/includes/template.php+1 −1 modified

@@ -1185,7 +1185,7 @@ function get_inline_data($post) {
 	if ( ! current_user_can($post_type_object->cap->edit_post, $post->ID) )
 		return;
 
-	$title = esc_attr( get_the_title( $post->ID ) );
+	$title = htmlspecialchars( trim( $post->post_title ), ENT_QUOTES );
 
 	echo '
 <div class="hidden" id="inline_' . $post->ID . '">

18deed9e053d

A little escaping paranoia, just to be safe. (Already sanitized, higher up). for 3.0

https://github.com/wordpress/wordpressmarkjaquithFeb 7, 2011Fixed in 3.0.5via llm-release-walk

commit

1 file changed · +3 −3

wp-admin/includes/template.php+3 −3 modified

@@ -1192,9 +1192,9 @@ function get_inline_data($post) {
 	<div class="post_title">' . $title . '</div>
 	<div class="post_name">' . apply_filters('editable_slug', $post->post_name) . '</div>
 	<div class="post_author">' . $post->post_author . '</div>
-	<div class="comment_status">' . $post->comment_status . '</div>
-	<div class="ping_status">' . $post->ping_status . '</div>
-	<div class="_status">' . $post->post_status . '</div>
+	<div class="comment_status">' . esc_html( $post->comment_status ) . '</div>
+	<div class="ping_status">' . esc_html( $post->ping_status ) . '</div>
+	<div class="_status">' . esc_html( $post->post_status ) . '</div>
 	<div class="jj">' . mysql2date( 'd', $post->post_date, false ) . '</div>
 	<div class="mm">' . mysql2date( 'm', $post->post_date, false ) . '</div>
 	<div class="aa">' . mysql2date( 'Y', $post->post_date, false ) . '</div>

6f31fa6e2996

Defense in depth for comment text. For 3.0

https://github.com/wordpress/wordpressryanFeb 5, 2011Fixed in 3.0.5via llm-release-walk

commit

1 file changed · +2 −2

wp-includes/default-filters.php+2 −2 modified

@@ -31,8 +31,8 @@
 	add_filter( $filter, 'wp_filter_kses' );
 }
 
-// Kses only for textarea saves displays
-foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description' ) as $filter ) {
+// Kses only for textarea admin displays
+foreach ( array( 'term_description', 'link_description', 'link_notes', 'user_description', 'comment_text' ) as $filter ) {
 	add_filter( $filter, 'wp_kses_data' );
 }

Vulnerability mechanics

Root cause

"Multiple instances of missing or insufficient output escaping allow authenticated users to inject arbitrary HTML/JavaScript through post titles, post status fields, and tag names."

Attack vector

An attacker who is an authenticated WordPress user can inject arbitrary HTML or JavaScript through several input vectors. The Quick/Bulk Edit title field (post_title) was not properly encoded when rendered in the inline edit data [CWE-79][patch_id=1995828]. The `post_status`, `comment_status`, and `ping_status` fields were output without escaping in the same inline data block [CWE-79][patch_id=1995829]. Tags entered in the tags meta box were concatenated directly into innerHTML without text-node escaping, allowing script payloads in tag names [CWE-79][patch_id=1995832]. The advisory does not specify a particular network path; the attacker would use the WordPress admin interface to submit crafted values that later render unsafely for other users.

Affected code

The vulnerabilities span multiple files. In `wp-admin/includes/template.php`, the `get_inline_data()` function outputs the post title, `comment_status`, `ping_status`, and `post_status` without proper HTML escaping [patch_id=1995828][patch_id=1995829]. In `wp-admin/js/post.dev.js`, the `quickClicks` function constructs tag list HTML by concatenating raw tag values, allowing script injection via tag names [patch_id=1995832]. Additionally, `wp-includes/default-filters.php` lacked `sanitize_key()` filters on `post_status`, `comment_status`, and `ping_status` before database insertion [patch_id=1995830].

What the fix does

Patch [patch_id=1995828] replaces `esc_attr(get_the_title())` with `htmlspecialchars(trim($post->post_title), ENT_QUOTES)` to properly encode special characters in the post title for inline editing. Patch [patch_id=1995829] wraps `comment_status`, `ping_status`, and `post_status` with `esc_html()` to ensure these values are safely HTML-escaped before rendering. Patch [patch_id=1995830] adds `sanitize_key()` filters on the `pre_post_status`, `pre_post_comment_status`, and `pre_post_ping_status` hooks, sanitizing these values at the point of database insertion as defense in depth. Patch [patch_id=1995832] rewrites the `quickClicks` function in `post.dev.js` to use jQuery's `.text(val)` method, which safely sets text content via the DOM text node rather than concatenating raw strings into HTML markup, preventing XSS through tag names.

Preconditions

authAttacker must be an authenticated WordPress user with the ability to create or edit posts.
networkAttacker must have access to the WordPress admin interface (Quick/Bulk Edit, tags meta box, or post status fields).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

codex.wordpress.org/Version_3.0.5nvdPatchVendor Advisory
core.trac.wordpress.org/changeset/17397nvdPatchVendor Advisory
core.trac.wordpress.org/changeset/17401nvdPatchVendor Advisory
core.trac.wordpress.org/changeset/17406nvdPatchVendor Advisory
core.trac.wordpress.org/changeset/17412nvdPatchVendor Advisory
www.wordpress.org/news/2011/02/wordpress-3-0-5/nvdPatchVendor Advisory
lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.htmlnvdThird Party Advisory
lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.htmlnvdThird Party Advisory
lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.htmlnvdThird Party Advisory
openwall.com/lists/oss-security/2011/02/08/7nvdMailing ListThird Party Advisory
openwall.com/lists/oss-security/2011/02/09/13nvdMailing ListThird Party Advisory
secunia.com/advisories/43729nvdThird Party Advisory
www.debian.org/security/2011/dsa-2190nvdThird Party Advisory
www.securityfocus.com/bid/46249nvdThird Party AdvisoryVDB Entry
www.vupen.com/english/advisories/2011/0658nvdThird Party Advisory
www.vupen.com/english/advisories/2011/0721nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000